CVE-2025-41376

Source
https://cve.org/CVERecord?id=CVE-2025-41376
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-41376.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-41376
Published
2025-08-01T13:15:27.450Z
Modified
2026-04-10T05:26:29.451597Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

CRLF injection vulnerability in LimeSurvey v2.65.1+170522. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via '/index.php/survey/index/sid/<SID>/token/fwyfw%0d%0aCookie:%20POC'.

References

Affected packages

Git / github.com/limesurvey/limesurvey

Affected ranges

Type
GIT
Repo
https://github.com/limesurvey/limesurvey
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.65.1"
        },
        {
            "fixed": "3.0.0"
        }
    ]
}

Affected versions

2.*
2.65.0+170522
2.65.1+170522
2.65.2+170606
2.65.4+170612
2.66.6+170619
2.67.0+170622
2.67.1+170626
2.67.2+170719
2.67.2+170728
2.67.3+170728
2.71.0+170925
2.71.1+170927
2.72.0+171010
2.72.2+171017
2.72.3+171020
2.72.4+171110
2.72.5+171121
2.72.6+171207
2.73.0+171219

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-41376.json"